Insecure Cryptographic Storage is a common vulnerability that occurs when sensitive data is not stored securely. Insecure Cryptographic Storage isn’t a single vulnerability, but a collection of vulnerabilities. The collection all have to do with making sure your most important data is encrypted when it needs to be. This includes:
making sure you are encrypting the correct data
making sure you have proper key storage and management
making sure that you are not using known bad algorithms
making sure you are not implementing your own cryptography, which may or may not be secure.
Developers often assume that data storage will not be examined by an arbitrary user. But many users of an application or program have access to the registry, temporary files, and databases. It’s possible for these users to access sensitive data in its unencrypted format using temporary, hidden, and registry files. It is also possible for an attacker to gain access using another one of the OWASP Top 10 vulnerabilities such as Direct Object Access.
Developers should identify all sensitive data and encrypt that data even when it’s stored on a hard drive. Ensure that sensitive data cannot be easily overwritten and overwrite sensitive memory locations immediately. Additionally, identify the people who should and shouldn’t have knowledge of secrets such as proprietary algorithms, encryption keys, and DRM. In most cases, it’s recommended to hide these secrets from even the administrator. Additionally, identify all sensitive data read into the memory and overwrite it with random data.
To ensure secure storage of sensitive data, follow these steps:
Identify all sensitive data and encrypt it even when it’s stored on a hard drive
Ensure that sensitive data cannot be overwritten
Overwrite sensitive memory locations immediately after the data is no longer needed in memory
Identify people who should and shouldn’t know secrets
Keep secrets such as proprietary algorithms, encryption keys, and DRM even from the administrator
Identify sensitive data read into memory, overwrite it with random data, and use strong encryption to safeguard it
How to Detect and Secure Insecure Cryptography Storage Issues
The ways to detect and fix cryptographic storage issues fall into two camps.
On one side you have flaws such as improper key management or not encrypting the correct data. The way to fix these is to sit down and look at what the scope of your application is, look at internal business processes and review ways to make sure that you are following best practice.
On the other hand, issues like implementing your own insecure cryptography or using known insecure algorithms can be fixed by using a whole variety of security scanning tools.